{"data":{"id":"ac789f7e-bf6d-4043-8b3e-c770d8f1d09b","title":"Exploiting Kubernetes’ Image Pull Implementation to Deny Node Availability","summary":"Kubernetes (K8s, a system that manages containerized applications across multiple computers) has a vulnerability in how it handles container image downloads through the CRI-API (the interface between Kubernetes and container runtimes). Because Kubernetes cannot monitor the status of these downloads, attackers can exploit this to launch denial-of-service attacks that consume up to 95% of CPU and exhaust network and storage resources on worker nodes indefinitely.","solution":"The source proposes MAGI, a proof-of-concept mitigation built on eBPF (a technology that allows low-level monitoring within the Linux kernel) that detects and terminates potential attacks. However, the source notes that a permanent fix would require fundamental architectural changes to how Kubernetes and the CRI-API interact, which is not feasible in the short term.","labels":["security","research"],"sourceUrl":"http://ieeexplore.ieee.org/document/11283066","publishedAt":"2025-12-08T13:17:42.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"info","attackType":["denial_of_service"],"issueType":"research","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":[],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2025-12-08T13:17:42.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":"peer_reviewed","atlasIds":null}}